b'         OFFICE OF INSPECTOR GENERAL \n\n\n\n\n                                  Catalyst for Improving the Environment\n\n\nAudit Report\n\n\n\n\n       EPA Needs to Strengthen\n       Financial Database Security\n       Oversight and Monitor Compliance\n\n       Report No. 2007-P-00017\n\n       March 29, 2007\n\x0cReport Contributors:\t             Rudolph M. Brevard\n                                  Chuck Dade\n                                  Corey Costango\n                                  Sejal Shah\n\n\n\n\nAbbreviations\n\nBAS          Budget Automation System\nCSIRC        Computer Security Incident Response Capability\nDBMS         Database Management System\nEPA          U.S. Environmental Protection Agency\nFDW          Financial Data Warehouse\nIFMS         Integrated Financial Management System\nISO          Information Security Officer\nIRMS         Integrated Resource Management System\nNIST         National Institute for Standards and Technology\nOCFO         Office of the Chief Financial Officer\nOEI          Office of Environmental Information\nOIG          Office of Inspector General\nOPPIN        Office of Pesticide Programs Information Network\nORD          Office of Research and Development\nOTOP         Office of Technology Operations and Planning\nSLATE        Strategic Leasing and Asset Tracking Enterprise\n\x0c                                                                                                       2007-P-00017\n\n                       U.S. 
Environmental Protection Agency                                           March 29, 2007\n\n                       Office of Inspector General\n\n\n                       At a Glance\n\n                                                                       Catalyst for Improving the Environment\n\n\nWhy We Did This Review           EPA Needs to Strengthen Financial Database Security\n                                 Oversight and Monitor Compliance\nWe sought to determine\nwhether the U.S.\n                                  What We Found\nEnvironmental Protection\nAgency (EPA) (1)                 We discovered weaknesses in how EPA offices (1) monitor databases for known\nimplemented and maintained       security vulnerabilities, (2) communicate the status of critical system patches, and\ndatabase hardware and            (3) monitor the use of and access to database administrator accounts and\nsoftware in accordance with      privileges. These weaknesses exist because EPA had not implemented security\nEPA policy requirements; and     processes to (1) actively monitor systems that share data with IFMS, (2) share and\n(2) secured critical financial   collect information on the implementation of critical system patches, and\ninformation by restricting       (3) effectively manage access controls. Without these processes, the integrity of\naccess to high-level database    critical data in key Office of the Chief Financial Officer (OCFO) systems could be\nfunctions, such as database      undermined. As a result, OCFO cannot ensure that the integrity of the data it\nadministrator authorities.       
provides to senior Agency officials is adequately protected.\nBackground                       We also identified specific technical weaknesses in three of the financial databases\n                                 that share data with IFMS.\nEPA\xe2\x80\x99s core financial\napplication, the Integrated\n                                  What We Recommend\nFinancial Management System\n(IFMS), shares data with         We recommend that OCFO, the Office of Environmental Information (OEI), and\nmany financial management        the Office of Research and Development address areas where EPA could improve.\nsystem databases. An             Specifically, we recommend that:\ninadequately designed and\nimplemented security control\n                                     \xe2\x80\xa2\t OCFO update the Memorandum of Understanding process to include\ncould be more easily\n                                        formal security standards that require the program/regional offices to\nbreached, which could\n                                        actively monitor the security status of systems that share data with IFMS.\ncompromise the integrity of\nthe data IFMS uses for               \xe2\x80\xa2\t OEI strengthen, formalize, and evaluate the effectiveness of the followup\nfinancial reporting and                 procedures for obtaining complete responses from program and regional\ndecisionmaking.                         offices regarding high-level critical system patch alerts, as well as share\n                                        status reports on the implementation of critical system patches.\nFor further information,\ncontact our Office of                \xe2\x80\xa2\t The system owners for each reviewed application correct all identified\nCongressional and Public                system weaknesses, and develop a Plan of Action and Milestones in the\nLiaison at (202) 566-2391.              
Agency\xe2\x80\x99s security weakness tracking system for all noted deficiencies.\nTo view the full report,\nclick on the following link:     The Agency agreed with all of our recommendations.\nwww.epa.gov/oig/reports/2007/\n20070329-2007-P-00017.pdf        Due to the sensitive nature of the report\xe2\x80\x99s technical findings, we removed\n                                 Appendices A, C, and D from the public version of the report.\n\x0c                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                   WASHINGTON, D.C. 20460\n\n\n                                                                                        OFFICE OF\n                                                                                   INSPECTOR GENERAL\n\n\n\n                                         March 29, 2007\n\nMEMORANDUM\n\nSUBJECT:\t EPA Needs to Strengthen Financial Database Security Oversight and\n          Monitor Compliance\n          Report No. 2007-P-00017\n\n\nFROM:          Patricia H. Hill\n               Assistant Inspector General for Mission Systems\n\nTO:            Lyons Gray\n               Chief Financial Officer\n\n               Molly A. O\xe2\x80\x99Neill \n\n               Assistant Administrator for Environmental Information \n\n\n               George M. Gray, Ph.D. \n\n               Assistant Administrator for Research and Development \n\n\n\nThis is our report on the subject audit conducted by the Office of Inspector General (OIG) of the\nU.S. Environmental Protection Agency (EPA). This report contains findings that describe the\nproblems the OIG has identified and corrective actions the OIG recommends. 
This report\nrepresents the opinion of the OIG and does not necessarily represent the final EPA position.\nFinal determinations on matters in this report will be made by EPA managers in accordance with\nestablished audit resolution procedures.\n\nThe estimated cost of this report \xe2\x80\x93 calculated by multiplying the project\xe2\x80\x99s staff days by the\napplicable daily full cost billing rates in effect at the time \xe2\x80\x93 is $356,118.\n\nAction Required\n\nIn accordance with EPA Manual 2750, the Office of the Chief Financial Officer is required to\nprovide a written response to this report within 90 calendar days. You should include a\ncorrective action plan for agreed upon actions, including milestone dates.\n\x0cThe Office of Environmental Information and Office of Research and Development do not have\nto provide a response to this report. The offices\xe2\x80\x99 response to the draft report contained an\nadequate corrective action plan with milestone dates to address the recommendations.\nAccordingly, we are closing this report on issuance.\n\nDue to the sensitive nature of the technical findings, we have removed Appendices A, C, and D\nfrom the report version made available to the public. The public copy of this report will be\navailable at http://www.epa.gov/oig. Additional copies of the full report can be obtained by\ncontacting our Office of Congressional and Public Liaison at (202) 566-2391.\n\nIf you or your staff has any questions, please contact me at 202-566-0894 or\nhill.patricia@epa.gov; or Rudolph M. 
Brevard, Director, Information Resources Management\nAssessments, at (202) 566-0893 or brevard.rudy@epa.gov.\n\x0c                 EPA Needs to Strengthen Financial Database Security Oversight\n                                   and Monitor Compliance\n\n\n\n\n                                Table of Contents \n\n\nChapters\n 1\t   Introduction ...........................................................................................................      1     \n\n\n              Purpose ..........................................................................................................    1         \n\n              Background ....................................................................................................       1         \n\n              Scope and Methodology.................................................................................                2         \n\n\n 2\t   Effective Oversight and Continuous Monitoring Needed to\n      Improve Financial Database Security..................................................................                         4\n\n              Consistent Practices Needed to Identify Weaknesses .................................                                 4\n\n              Improvements Needed in Reporting Status of Critical System Patches ........                                          5\n\n              Database Administrator Accounts and Privileges Not Managed Properly......                                            6\n\n              Recommendations .........................................................................................            7          \n\n              Agency Response and OIG Comments .........................................................                           8\n\n\n Status of Recommendations and Potential Monetary Benefits ................................                                        
10 \n\n\n\n\nAppendices\n A    High-Level Summary of Specific Technical Weaknesses by\n      EPA Program Office and System.........................................................................                       11\n\n B    Non-Sensitive Portion of OCFO\xe2\x80\x99s and OEI\xe2\x80\x99s Combined Response\n      to Draft Audit Report.............................................................................................           12\n\n C    OCFO\xe2\x80\x99s Response to Recommendations Associated with\n      Sensitive Technical Control Weaknesses Disclosed in Appendix A ...............                                               16\n\n D    ORD\xe2\x80\x99s Response to Recommendations Associated with\n      Sensitive Technical Control Weaknesses Disclosed in Appendix A ...............                                               17\n\n E    Distribution ............................................................................................................    18\n\x0c                                Chapter 1\n                                 Introduction\n\nPurpose\n          We completed this audit to determine whether the U.S. Environmental Protection\n          Agency (EPA) (1) implemented and maintained database hardware and software\n          in accordance with EPA policy requirements; and (2) secured critical financial\n          information by restricting access to high-level database functions, such as\n          database administrator authorities.\n\nBackground\n          The Integrated Financial Management System (IFMS) is EPA\xe2\x80\x99s core financial\n          management accounting system. IFMS (1) supports the standard general ledger,\n          (2) is the source of data for preparing financial statements and budgetary reports,\n          and (3) supports program offices in managing and controlling funds. 
IFMS\n          depends heavily upon data processed by many other systems in order to provide\n          senior Agency officials with timely and accurate information. Although the\n          Office of the Chief Financial Officer (OCFO) is the IFMS system owner, many of\n          the financial management systems that share data with IFMS are managed by\n          other program offices. Therefore, OCFO must coordinate the implementation of\n          security controls between offices to protect the integrity of shared data.\n\n          OCFO must implement a security program that is consistent with EPA\xe2\x80\x99s current\n          security philosophy. Currently, EPA distributes the implementation and\n          management of information security to multiple organizations. Under the current\n          EPA security structure, the Office of Environmental Information (OEI) is\n          responsible for:\n\n             \xe2\x80\xa2\t Developing and defining the Agency\xe2\x80\x99s information security program in\n                accordance with all applicable Federal laws and regulations;\n\n             \xe2\x80\xa2\t Providing guidance on selecting and implementing safeguards; and\n\n             \xe2\x80\xa2\t Establishing the minimum information security control environment\n                required to protect both its automated data processing resources and its\n                information from theft, damage, and unauthorized use.\n\n          EPA regional and program offices are responsible for:\n\n             \xe2\x80\xa2\t Establishing an organization-wide information security program consistent\n                with Agency policy, and\n\n\n                                           1\n\n\x0c            \xe2\x80\xa2\t   Protecting information and applications by implementing (1) appropriate\n                 safeguards into all new organizational information systems, and (2) major\n                 modifications to existing systems.\n\nScope and 
Methodology\n         We conducted this audit in accordance with Government Auditing Standards,\n         issued by the Comptroller General of the United States. We conducted this audit\n         from January through July 2006 at the National Computer Center in Research\n         Triangle Park, North Carolina, and EPA Headquarters in Washington, DC. We\n         reviewed EPA database security policies and procedures. We tested configuration\n         settings for both the database and operating system software. We interviewed\n         EPA employees and contractors responsible for database maintenance and\n         security.\n\n         We selected a judgmental sample of five major financial management database\n         systems that share data with IFMS. We reviewed the following applications\n         during preliminary research:\n\n                   Application            Acronym                 Program Office\n         Budget Automation System              BAS   Office of the Chief Financial Officer\n         Financial Data Warehouse           FDW      Office of the Chief Financial Officer\n         Integrated Resource\n                                            IRMS     Office of Research and Development\n         Management System\n         Office of Pesticide Programs                Office of Prevention, Pesticides, and\n                                           OPPIN\n         Information Network                         Toxic Substances\n         Strategic Leasing and Asset                 Office of Administration and Resources\n                                           SLATE\n         Tracking Enterprise                         Management\n\n         We did not review PeoplePlus, EPA\xe2\x80\x99s combined human resources and payroll\n         application, because the OIG conducted a security review of the application\n         within the past 12 months.\n\n         During preliminary research, we (1) documented management controls\n         surrounding 
database security, and (2) tested the systems\xe2\x80\x99 configuration settings.\n\n            \xe2\x80\xa2\t Management Controls \xe2\x80\x93 We surveyed the respective system owners to\n               determine whether management issued formal policies and procedures for\n               the following key areas: database system configuration, database\n               administrator duties, and system maintenance management. We collected\n               and reviewed the responses, and conducted followup interviews with EPA\n               personnel and contractors. For each system, we reviewed the results of\n               management\xe2\x80\x99s latest security control tests.\n\n\n\n\n                                          2\n\n\x0c   \xe2\x80\xa2\t Systems\xe2\x80\x99 Configuration Settings \xe2\x80\x93 We conducted vulnerability testing of\n       the selected systems\xe2\x80\x99 databases and operating systems to identify common\n       security weaknesses. We used two vulnerability-testing tools recognized\n       by the National Institute for Standards and Technology (NIST). These\n       tools identify potential vulnerabilities and validate that the operating\n       systems and major applications have the latest software versions. We used\n       one tool to test application servers\xe2\x80\x99 operating systems for vulnerabilities.\n       We used the other tool to test the database software for vulnerabilities and\n       key database configuration settings. We provided our scanning results to\n       the respective program offices to evaluate the validity of the identified\n       high vulnerabilities. We were unable to conduct vulnerability testing of\n       OPPIN because the program office was relocating the system at the time\n       of our audit. As such, we eliminated OPPIN from our sample.\n\nDuring field work, we selected three of the five database systems for detailed\nreview. 
We based our selection on (1) whether an office had documented its\ndatabase security management control structure, and (2) the total number of\n\xe2\x80\x9chigh-risk\xe2\x80\x9d vulnerabilities discovered during preliminary testing. We selected\nBAS, FDW, and IRMS for further review.\n\nWe have not performed prior audits related to database security controls for these\nEPA systems. As such, there were no recommendations to follow up on during\nthis audit.\n\n\n\n\n                                 3\n\n\x0c                                Chapter 2\n    Effective Oversight and Continuous Monitoring\n    Needed to Improve Financial Database Security\n\n          We discovered weaknesses in how EPA offices (1) monitor financial databases\n          for known security vulnerabilities, (2) share information regarding the\n          implementation of critical system updates, and (3) monitor the use of and access\n          to database administrator accounts and privileges. EPA policies require offices to\n          establish an organization-wide information security program consistent with\n          Agency policy. This includes establishing processes for actively monitoring\n          systems, promptly implementing systems updates, and effectively managing\n          access to network resources and systems. OCFO\xe2\x80\x99s policy requires system owners\n          to enter into a Memorandum of Understanding (MOU) when their system\n          interfaces with IFMS. However, this current security oversight process does not\n          incorporate methods that actively monitor the security status of these systems\n          once the MOU is signed. 
In addition, this policy does not currently apply to\n          systems using means other than an electronic interface to share data with IFMS.\n          As a result, OCFO has limited assurance that the security controls of critical\n          systems adequately protect the accuracy of financial data used for decisionmaking\n          and financial reporting. OCFO needs a more collaborative framework and\n          stronger oversight processes to ensure that systems, which share financial data\n          with IFMS, comply with prescribed Agency security practices.\n\nConsistent Practices Needed to Identify Weaknesses\n          Offices lack consistent processes to conduct vulnerability testing of systems to\n          identify and correct commonly known security weaknesses. NIST states that it is\n          imperative that organizations routinely test systems for vulnerabilities and\n          misconfigurations to reduce the likelihood of system compromise. EPA policy\n          2195.1A4, Agency\xe2\x80\x99s Network Security Policy, requires EPA offices to monitor,\n          test, evaluate, and verify their systems to ensure adequate security in accordance\n          with information sensitivity and other Federal and Agency requirements. Based\n          on interviews with the system owners, we determined that the frequency of\n          vulnerability testing was inconsistent among offices. The vulnerability testing\n          schedules ranged from monthly to only performing the testing in conjunction with\n          completing the major risk assessment, which usually takes place every 3 years.\n          During the time between risk assessments, OCFO does not utilize processes to\n          check the security status of systems that share data with IFMS. 
As a result,\n          OCFO relies on the implementation of security controls that have become, over\n          time, ineffective due to system changes and emerging system weaknesses.\n\n          Our vulnerability test results identified 47 \xe2\x80\x9chigh-risk,\xe2\x80\x9d commonly-known security\n          vulnerabilities among the three database systems. Each system had at least 13\n\n\n                                           4\n\n\x0c                 \xe2\x80\x9chigh-risk\xe2\x80\x9d vulnerabilities. Some of the identified vulnerabilities had the\n                 potential to affect the availability and integrity of the system\xe2\x80\x99s financial data.\n                 Management could have identified all of the noted vulnerabilities had OCFO\xe2\x80\x99s\n                 MOU process specified the frequency of vulnerability testing and the offices\n                 implemented a routine vulnerability testing process, as required by EPA policy.\n                 In addition, NIST Special Publication 800-42, Guideline on Network Security\n                 Testing, recommends that system owners conduct vulnerability testing at least\n                 quarterly to identify and correct vulnerabilities before they are exploited. NIST\n                 notes that organizations with an active, priority-driven security-testing program\n                 are in a much better position to make prudent investments to enhance the security\n                 posture of their systems.\n\n                 Since IFMS relies heavily on these database systems as the primary source for\n                 financial data, vulnerabilities in these systems could allow manipulated data to\n                 transfer between systems without notice. 
Consequently, users of IFMS data could\n                 potentially make decisions based on inaccurate data.\n\n                 We provided the program offices with copies of our vulnerability test results, and\n                 the offices indicated they are taking action to remediate the weaknesses.\n                 Appendix A contains a high-level summary of the specific technical weaknesses\n                 found in each application.\n\nImprovements Needed in Reporting Status of Critical System Patches\n                 OCFO lacks sufficient information to determine whether system owners for\n                 systems that share data implement critical system patches. Critical system\n                 patches are manufacturer updates to correct significant security vulnerabilities and\n                 include other fixes that are prerequisites for the security fixes included in the\n                 Critical Patch Update. EPA communicates critical system patches using a high-\n                 level alert issued by the Computer Security Incident Response Capability\n                 (CSIRC).1 The CSIRC Centralized Reporting Guidance requires the primary\n                 Information Security Officer (ISO) for each program and regional office to report\n                 status of implementation in accordance with the alert direction. We evaluated\n                 whether the applicable program offices adequately reported the implementation\n                 status for one high-level alert that affected the three reviewed systems sharing\n                 data with IFMS. We found that the primary ISO for the program office\n                 responsible for the IRMS system (Office of Research and Development [ORD])\n                 did not report the status for implementing the critical patch to CSIRC or to\n                 OCFO. 
Although ORD officials did not report the patch status to CSIRC, the\n                 office indicated that the patch was applied within the specified time period. This\n                 occurred, in part, because OCFO management had not implemented processes to\n                 (1) inform them when systems that share data requires a critical system patch, and\n\n1\n  OEI established CSIRC under the Office of Technology Operations and Planning (OTOP) to serve as the Agency\xe2\x80\x99s\ncentral system for receiving notifications regarding critical security updates for EPA\xe2\x80\x99s information resources.\nCSIRC is also responsible for notifying system owners when there is a major security update available for their\nrespective applications and tracking the system owners\xe2\x80\x99 progress in implementing the system update.\n\n\n                                                      5\n\n\x0c          (2) check whether all the systems with which IFMS shares data implemented\n          critical patches. OCFO needs these processes and information to maintain the\n          security and integrity of data shared with IFMS. Without this information, OCFO\n          cannot assess the impact of security threats to IFMS or weaknesses in database\n          systems that could affect the quality of data used for financial management and\n          decisionmaking.\n\n          We also determined that the CSIRC could improve its processes for collecting and\n          sharing information regarding the implementation of critical system patches. We\n          reviewed the CSIRC status report regarding each office\xe2\x80\x99s implementation of the\n          reviewed high-level alert. We found that 30 percent (7 of 23) of EPA offices\n          provided a complete response to the alert. A complete response indicated that the\n          office took the advised action or the action was not applicable. 
CSIRC officials\n          indicated that they follow up on incomplete responses with phone calls and\n          emails. However, CSIRC did not document these followup measures in its\n          procedure manual. Nonetheless, at the time of our field work, 4 months had\n          elapsed since the CSIRC issued the alert and many offices had not provided a\n          complete response. In addition, CSIRC does not maintain an inventory of\n          systems in order to determine which offices a particular critical system patch\n          impacts. Also, CSIRC does not share the status report regarding critical system\n          patches with program offices to help them identify and mitigate unresolved\n          security vulnerabilities in systems with which they share data. Sharing the status\n          of implemented critical system patches would (1) provide ISOs with a tool to\n          more proactively manage the security of their database systems, and (2) allow the\n          CSIRC to focus its limited resources on analyzing emerging security threats.\n          Because of these weaknesses, EPA\xe2\x80\x99s CSIRC lacks the capability to assess the\n          potential impact that unimplemented critical patches have on the Agency\xe2\x80\x99s\n          network resources.\n\nDatabase Administrator Accounts and Privileges Not Managed\nProperly\n          System owners do not adequately control users\xe2\x80\x99 access to and use of database\n          administrator accounts and privileges, as required by EPA policy 2195.1A4,\n          Agency\xe2\x80\x99s Network Security Policy. In particular, the policy requires passwords\n          and user login IDs to be unique and not shared. The policy also requires system\n          authorizations to be restricted to the minimum level of access necessary for a\n          person to do their job. 
Our testing found instances where:\n\n              \xe2\x80\xa2\t Multiple people were sharing database administrator account user login\n                 IDs and passwords. The database administrator account privileges\n                 provide complete and unrestricted access to all data in the database.\n                 When user login IDs and passwords are shared, EPA loses the ability to\n                 hold users accountable for their actions within the system.\n\n\n\n\n                                          6\n\n\x0c            \xe2\x80\xa2\t Users could excessively access sensitive database components or execute\n               high-level commands. A database component or \xe2\x80\x9cobject\xe2\x80\x9d could be the\n               database table or information stored in the database table. A high-level\n               command or \xe2\x80\x9cprivilege\xe2\x80\x9d allows the user to create or manipulate objects,\n               such as data tables and/or reassign system privileges to other personnel\n               without authorization.\n\n        Properly controlling/administering these features is important because they allow\n        management to (1) hold users that make inappropriate system changes\n        accountable, (2) limit system privileges of each user to only those the user needs\n        to perform their job, and (3) control unauthorized reassignment of system\n        privileges to other personnel.\n\n        These weaknesses exist, in part, because the OCFO\xe2\x80\x99s MOU process does not\n        specify the standards for monitoring the access and use of high-level database\n        accounts. In addition, the system owners did not implement effective\n        management control processes to ensure that security personnel comply with EPA\n        security policy. Furthermore, management had not implemented processes to\n        review access to and use of database administrator accounts and privileges. 
As a result, offices granted many of the database security privileges in a way that allowed users to re-assign their system access to other users without the knowledge of the office. We provided the respective program offices with copies of our test results, and the offices indicated that they are taking action to remediate the weaknesses. Appendix A contains a high-level summary of the specific technical weaknesses found in each application.

Recommendations

We recommend that the Office of the Chief Financial Officer, Information Security Officer:

1. Update the MOU process to include formal security Standards that require program and regional offices to actively monitor the security status of systems that share data with IFMS. These standards should require all system owners to:

   a. Perform network vulnerability testing at least quarterly in accordance with NIST 800-42, Guideline on Network Security Testing, and remediate identified vulnerabilities in a timely manner.

   b. Monitor the use of and access to high-level system functions (such as Accountability, Least Privilege, Separation of Duties, etc.) at least monthly to ensure adequate controls are applied and effective.

   c. Certify that the program/regional office has put in place oversight processes to ensure these information security standards are met.

2. Request from OEI access to information regarding the implementation status of high-risk CSIRC critical system patches for systems that share data with IFMS.

3. Develop and implement formal procedures to ensure all OCFO system owners timely and accurately report progress for implementing Computer Security Incident Response Capability critical system patches.

We recommend the Director of Office of Technology Operations and Planning within the Office of Environmental Information:

4. Strengthen, formalize, and evaluate the effectiveness of the followup procedures for obtaining complete responses from program and regional offices regarding high-level critical system patch alerts.

5. Develop and implement a formal process to share EPA-wide status reports with ISOs regarding implementation of CSIRC critical system patches.

We recommend the system owners for the (1) Budget Automated System (OCFO System), (2) Financial Data Warehouse (OCFO System), and (3) Integrated Resources Management System (ORD System):

6. Correct all identified system weaknesses disclosed in Appendix A.

7. Develop a Plan of Action and Milestones in the Agency’s security weakness tracking system (ASSERT database) for all uncorrected deficiencies disclosed in Appendix A.

Agency Response and OIG Comments

ORD concurred with the report findings and recommendations. However, OCFO officials did not agree with the report recommendations, citing that its current MOU process provided the appropriate level of oversight. OEI officials also did not agree with the report’s recommendations. OEI indicated the office has a process in place for tracking responses to high-level critical system patch alerts. In addition, OEI indicated that the office’s current status report provided to management and ISOs for the purpose of their distributed oversight is sufficient.

We met with Agency officials from all three offices subsequent to receiving their responses to the draft report. Based on our discussions, OCFO and OEI officials agreed that the offices could take more steps to improve the current processes and strengthen database security. As such, OCFO agreed to modify its MOU process to provide more specificity to system owners with systems that share data with IFMS. OCFO also agreed to take steps to ensure all OCFO system owners timely and accurately report progress for implementing critical system patches. OEI officials agreed to formalize their CSIRC followup procedures and make critical patch reports more available. Where appropriate, we modified the report to address the offices’ concerns and our discussions.

OEI and ORD provided a corrective action plan to address the report’s findings and recommendations. OCFO updated its response to the report and indicated that the office would provide a corrective action plan to address the remaining open recommendations.
Complete responses are provided in Appendices B, C, and D.

Status of Recommendations and Potential Monetary Benefits

Columns in the original table: Rec. No. | Page No. | Subject | Status [1] | Action Official | Planned Completion Date | Potential Monetary Benefits (in $000s): Claimed Amount | Agreed To Amount. No claimed or agreed-to amounts are listed for any recommendation; fields left blank in the original are omitted below.

Rec. 1 (page 7), Status: O
    Subject: Update the MOU process to include formal security Standards that require program and regional offices to actively monitor the security status of systems that share data with IFMS. These standards should require all system owners to:
        a. Perform network vulnerability testing at least quarterly in accordance with NIST 800-42, Guideline on Network Security Testing, and remediate identified vulnerabilities in a timely manner.
        b. Monitor the use of and access to high-level system functions (such as Accountability, Least Privilege, Separation of Duties, etc.) at least monthly to ensure adequate controls are applied and effective.
        c. Certify that the program/regional office has put in place oversight processes to ensure these information security standards are met.
    Action Official: Information Security Officer, Office of the Chief Financial Officer

Rec. 2 (page 8), Status: O
    Subject: Request from OEI access to information regarding the implementation status of high-risk CSIRC critical system patches for systems that share data with IFMS.
    Action Official: Information Security Officer, Office of the Chief Financial Officer

Rec. 3 (page 8), Status: O
    Subject: Develop and implement procedures to ensure all OCFO system owners timely and accurately report progress for implementing CSIRC critical system patches.
    Action Official: Information Security Officer, Office of the Chief Financial Officer

Rec. 4 (page 8), Status: C
    Subject: Strengthen, formalize, and evaluate the effectiveness of the followup procedures for obtaining complete responses from program and regional offices regarding high-level critical system patch alerts.
    Action Official: Director, Office of Technology Operations and Planning
    Planned Completion Date: 08/01/2007

Rec. 5 (page 8), Status: C
    Subject: Develop and implement a process to share EPA-wide status reports with Information Security Officers regarding implementation of CSIRC critical system patches.
    Action Official: Director, Office of Technology Operations and Planning
    Planned Completion Date: 08/01/2007

Rec. 6 (page 8), Status: C
    Subject: Correct all identified system weaknesses disclosed in Appendix A.
    Action Officials: BAS System Owner; FDW System Owner; IRMS System Owner
    Planned Completion Dates: BAS 05/2006; FDW 08/2006; IRMS 04/2006

Rec. 7 (page 8), Status: C
    Subject: Develop a Plan of Action and Milestones in the Agency’s security weakness tracking system (ASSERT database) for all uncorrected deficiencies disclosed in Appendix A.
    Action Officials: BAS System Owner; FDW System Owner; IRMS System Owner
    Planned Completion Dates: BAS N/A; FDW N/A; IRMS N/A

[1] O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is undecided with resolution efforts in progress

Appendix A

High-Level Summary of Specific Technical Weaknesses by EPA Program Office and System [2]

This Appendix is for restricted distribution. This Appendix contains material that is confidential business information, proprietary information, or source selection information. Unauthorized disclosure of this Appendix or any of its content may violate the provisions of the Trade Secrets Act, 18 U.S.C. 1905; the Procurement Integrity Act, 41 U.S.C. 423; the Freedom of Information Act, 5 U.S.C. 552; the Privacy Act, 5 U.S.C. 552a; and/or the Federal Acquisition Regulation, Section 3.104 (48 CFR 3.104).
Due to the sensitive nature of these findings, the Office of Inspector General removed this Appendix from the public version of the report.

[2] A detailed listing of technical weaknesses was provided to the respective Program Office officials. The detailed listing identified the specific weaknesses, to include background information on the weaknesses and possible methods the system owner could use to correct the weaknesses.

Appendix B

Non-Sensitive Portion of OCFO’s and OEI’s Combined Response to Draft Audit Report

February 23, 2007

MEMORANDUM

SUBJECT:  Office of the Chief Financial Officer (OCFO) Response to the Office of Inspector General’s (OIG) Draft Audit Report – EPA Needs to Strengthen Financial Database Security Oversight and Monitor Compliance, Dated January 11, 2007, Assignment No. 2006-000442

FROM:     Krista Mainess, Director
          Office of Program Management
          Office of the Chief Financial Officer

TO:       Rudy Brevard
          Acting Director, Business Systems Audits

We appreciate the opportunity to provide written comments on the subject draft audit report. The OCFO remains firmly committed to securing its systems and data in a cost effective manner and in accordance with Federal guidance, EPA policy, and best practices.

If you or your staff have any questions or need additional information concerning our response to the subject draft report, contact Bob Shields, IT Team Leader, at 202-564-0123.

cc:  Lyons Gray, OCFO
     Maryann Froehlich, OCFO
     Lorna McAllister, OCFO
     David Bloom, OCFO
     Mitch Gray, OCFO
     Myra Galbreath, OEI
     Marian Cody, OEI
     Pat Hill, OIG

Below you will find general comments on the entire report as well as specific comments related to each recommendation.

OCFO’s General Comment:
Much of the audit text appears to be based on the assumption that IFMS “shares data” with FDW, BAS, and IRMS, but the report provides no details on what this means.

Here are details on each system’s relationship to IFMS. The FDW copies data from IFMS for reporting. IFMS receives no data from the FDW. BAS has no connection to send or receive data with IFMS. IRMS transmits commitment and reprogramming documents to IFMS. Those documents are subject to all IFMS edits before they are processed, so there are already safeguards built into the process.

Transactions entered in IFMS are monitored by a particular user community. For example, if IRMS transmitted invalid commitments to IFMS that still passed the accounting string and funds availability edits, they would be discovered by ORD (the owner of IRMS) and corrected. The OCFO Office of Budget, in its annual closeout memo, requires allowance holders to monitor their available funds. They issued their 2007 closeout memo on December 18, 2006.

Another example of a transaction control on IFMS data is the annual year-end certification of unliquidated obligations. Allowance holders are required to certify to OFM that their unliquidated obligation balances in IFMS are correct. This requirement is documented in the annual financial statement audit commitment memorandum signed by the Chief Financial Officer and the Inspector General. Details on the process are included in the OFM year end closing memo.

Finally, many of the recommendations directed toward the OCFO ISO are the responsibility of the individual system owners, according to EPA’s Information Security Manual 2195A.

OARM’s General Comment:
SLATE does not receive nor send data to IFMS.

OEI’s General Comment:
The procedures requested for developing and implementing recommendation #3 were in place prior to this audit finding and have been previously provided.

In addition, the following inaccuracies in the draft audit are noted. One area of concern is the apparent confusion regarding CSIRC’s roles and responsibilities. CSIRC maintains an inventory of the Agency’s technologies so that they can notify the Information Security Officers to upgrade or patch their systems. CSIRC is not responsible for determining which informational systems are critical to the Agency. However, CSIRC does determine which patch is critical.

OIG recommendations and corresponding OCFO/OEI responses are as follows:

OIG Recommendation #1:
The Information Security Officer (ISO) within the Office of the Chief Financial Officer (OCFO) update the Memorandum of Agreement process to include formal security standards that require the program/regional offices to actively monitor the security status of systems that share data with IFMS. These standards should require all system owners to:

   a. Perform network vulnerability testing at least quarterly in accordance with NIST 800-42, Guideline on Network Security Testing, and remediate identified vulnerabilities in a timely manner.

   b. Monitor the use of and access to high-level system functions (such as Accountability, Least Privilege, Separation of Duties, etc.) at least monthly to ensure adequate controls are applied and effective.

   c. Certify that the program/regional office has put in place oversight processes to ensure these information security standards are met.

CFO Response to Recommendation #1:
The OCFO agrees with this recommendation.

OIG Recommendation #2:
The ISO within OCFO request from OEI access to information regarding the implementation status of high risk CSIRC critical system patches for systems that share data with IFMS.

OCFO Response to Recommendation #2:
The OCFO agrees with this recommendation.

OIG Recommendation #3:
The ISO within OCFO send out a notification to all OCFO system owners reminding them of the criticality of timely and accurately reporting the status of implementing CSIRC critical system patches.

OCFO Response to Recommendation #3:
The OCFO agrees with this recommendation.

OEI Recommendation #4:
Develop and implement follow-up procedures to obtain complete responses from program and regional offices regarding high-level critical system patch alerts.

OEI Response to Recommendation #4:
OEI does not concur with this recommendation.

OEI/OTOP has a process in place for tracking responses to high-level critical system patch alerts, which includes following up with Information Security Officers (ISOs). If the system is a Microsoft based platform, CSIRC uses PatchLink for progress reports and contacts ISOs regarding any delay in patch implementation. In addition, CSIRC acts as a liaison between Network Infrastructure Services (NIS, http://lansys.epa.gov/), ISOs and PatchLink Administrators regarding any problems with patch deployment. If the system is not a Microsoft based platform, the ISOs are responsible for reporting the patch status to CSIRC. CSIRC follows up according to the time constraints provided in the CSIRC-Alert. For a critical or high-level patch, response is required within two business days. If a response is not received, CSIRC contacts all ISOs with applicable systems in their area for patch status information. It should be noted that the responsibility for the patching of systems does not fall under CSIRC. It is the responsibility of each region and program office to act on CSIRC-Alerts and patch their systems accordingly.

In addition, CSIRC has provided information to NCC Security regarding the potential impact that unimplemented critical patches have on the Agency’s network resources in emails, Security Incident Request (SIR) tickets, and Quarterly Reports. CSIRC does not implement or govern patch deployment, nor does it have the authorization to enforce.

OIG Recommendation #5:
Develop and implement a process to share EPA-wide status reports with Information Security Officers regarding implementation of CSIRC critical system patches.

OEI Response to Recommendation #5:
OEI does not concur with this recommendation.

Traditionally, the Agency has maintained that the specific vulnerabilities and security postures of the regions and program offices will not be shared EPA-wide. However, we currently provide reporting status to management and ISOs for the purpose of their distributed oversight. OTOP will continually work to create a more streamlined reporting process.

Appendix C

OCFO’s Response to Recommendations Associated with Sensitive Technical Control Weaknesses Disclosed in Appendix A

This Appendix is for restricted distribution. This Appendix contains material that is confidential business information, proprietary information, or source selection information. Unauthorized disclosure of this Appendix or any of its content may violate the provisions of the Trade Secrets Act, 18 U.S.C. 1905; the Procurement Integrity Act, 41 U.S.C. 423; the Freedom of Information Act, 5 U.S.C. 552; the Privacy Act, 5 U.S.C. 552a; and/or the Federal Acquisition Regulation, Section 3.104 (48 CFR 3.104). Due to the sensitive nature of these findings, the Office of Inspector General removed this Appendix from the public version of the report.

Appendix D

ORD’s Response to Recommendations Associated with Sensitive Technical Control Weaknesses Disclosed in Appendix A

This Appendix is for restricted distribution. This Appendix contains material that is confidential business information, proprietary information, or source selection information. Unauthorized disclosure of this Appendix or any of its content may violate the provisions of the Trade Secrets Act, 18 U.S.C. 1905; the Procurement Integrity Act, 41 U.S.C. 423; the Freedom of Information Act, 5 U.S.C. 552; the Privacy Act, 5 U.S.C. 552a; and/or the Federal Acquisition Regulation, Section 3.104 (48 CFR 3.104). Due to the sensitive nature of these findings, the Office of Inspector General removed this Appendix from the public version of the report.

Appendix E

Distribution

Office of the Administrator
Chief Financial Officer (CFO)
Assistant Administrator for Environmental Information
Assistant Administrator for Research and Development
Agency Followup Coordinator
Audit Followup Coordinator, Office of the Chief Financial Officer
Audit Followup Coordinator, Office of Environmental Information
Audit Followup Coordinator, Office of Research and Development
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Office of General Counsel
Acting Inspector General